Medium severity · 5.3 · NVD Advisory · Published May 14, 2024 · Updated Apr 15, 2026
CVE-2024-34914
Description
php-censor v2.1.4 (fixed in v2.1.5) was discovered to use a weak hashing algorithm for its remember_key value. This allows attackers to brute-force the remember_key value and gain access to accounts that checked "remember me" when logging in.
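Why the pre-patch key is guessable, as an added example (not php-censor's code): it bounds the entropy of a key derived from `md5(microtime(true))`, the line removed by the fix commit, for a known login-time window and sets it beside a key taken directly from the CSPRNG. All function names are hypothetical, and the explicit string cast stands in for the implicit one PHP performs when `md5()` is handed a float.

```php
<?php
declare(strict_types=1);

// Pre-patch generation: the only input to the hash is the current time.
function weakRememberKey(): string
{
    return md5((string) microtime(true));
}

// Hardened form: 128 bits straight from the CSPRNG, no hash needed.
function strongRememberKey(): string
{
    return bin2hex(random_bytes(16));
}

// Upper bound, in bits, on the number of distinct weak keys when the login
// time is known to within $windowSeconds. md5() sees the float as a string,
// and that cast keeps only ini "precision" significant digits (default 14),
// so part of the microsecond resolution never reaches the hash.
function weakKeySpaceBits(float $windowSeconds): float
{
    $precision = (int) ini_get('precision');
    $intDigits = strlen((string) time());      // 10 digits for current epochs
    $decimals  = ($precision > 0 && $precision < $intDigits + 6)
        ? max(0, $precision - $intDigits)
        : 6;                                   // full microtime() resolution
    return log($windowSeconds * 10 ** $decimals, 2);
}

// Constant-time comparison of the stored key with the cookie value
// (hypothetical helper; the project's own check is not shown on this page).
function rememberKeyMatches(string $stored, string $fromCookie): bool
{
    return hash_equals($stored, $fromCookie);
}

// Constructed windows: one second, one hour, one day of uncertainty.
foreach ([1.0, 3600.0, 86400.0] as $window) {
    printf("login window %6ds -> at most %.1f bits\n", $window, weakKeySpaceBits($window));
}
printf("bin2hex(random_bytes(16)) -> 128 bits\n");
```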
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| php-censor/php-censor (Packagist) | >= 2.1.0, < 2.1.5 | 2.1.5 |
| php-censor/php-censor (Packagist) | < 2.0.13 | 2.0.13 |
Patches
17b011d1b60f5: Fixed security issue with remember me key in auth. See: https://chmod744.super.site/redacted-vulnerability.
1 file changed · +2 −2
src/Controller/SessionController.php+2 −2 modified@@ -135,7 +135,7 @@ public function login() $key = $user->getProviderKey(); $isLoginFailure = !isset($providers[$key]) || !$providers[$key]->verifyPassword($user, $password); } else { - // Ask each providers to provision the user + // Ask each provider to provision the user foreach ($providers as $provider) { $user = $provider->provisionUser($email); if ($user && $provider->verifyPassword($user, $password)) { @@ -150,7 +150,7 @@ public function login() $_SESSION['php-censor-user-id'] = $user->getId(); if ($rememberMe) { - $rememberKey = md5(microtime(true)); + $rememberKey = md5(random_bytes(64)); $user->setRememberKey($rememberKey); $this->userStore->save($user);
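Review bot: In the second hunk, inside the `if ($rememberMe)` branch of `login()`, `md5(random_bytes(64))` draws 64 bytes from the CSPRNG and then compresses them to a 128-bit MD5 digest, so the hash adds no strength and leaves MD5 in an authentication path. Suggest `bin2hex(random_bytes(16))` (or more bytes if the stored key length allows), which gives the same 128 bits or better without the hash. The change also only affects keys issued from now on: the commit touches this one file and nothing in it clears remember keys already saved from `md5(microtime(true))`, so consider invalidating stored keys as part of the upgrade.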